Being in the central position for network communication, Network Interface Cards (NICs) can intercept, modify, and generate network packets. But little is known about how NICs can launch attacks that go beyond simple traffic sniffing and manipulation. In this work, we demonstrate how a malicious NIC can leverage a stock operating system to leak the memory access patterns of user-space processes via a cache side-channel attack. Specifically, we uncover an exploitable gadget in the TCP/IP stack's IP reassembly process that enables a Prime+Probe cache side-channel attack. Our approach achieves fine-grained control, targeting individual cache sets. We validate its practicality by establishing a high-accuracy bi-directional covert channel between a user application and the NIC that bypasses firewalls, achieving transmission rates of 0.1 bits/sec upstream and 0.76 bits/sec downstream. In addition, we demonstrate its application to monitoring system activity by detecting periods of keystroke activity of 20 users across multiple sessions with a precision of over 96%, highlighting the potential privacy risks.
European Symposium on Research in Computer Security (ESORICS)
2025
2026-05-13